Bug#295526: libpam-unix2 only works as root
On Fri May 16, 2008 at 17:24:43 -0700, Ivan Kohler wrote: Please ask if members of the Security Audit project could review the setuid program in the bugreport and Cc: [EMAIL PROTECTED] with any findings or discussion. (As this is a non-Debian mailing list requiring subscription to post, I am unable to simply Cc: the list on the bugreport as I would when asking a typical group to participate.) I saw no problems, and wouldn't object to the submitted attachment being a setuid binary. Steve -- # The Debian Security Audit Project. http://www.debian.org/security/audit -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
On Thu, May 15, 2008 at 01:16:05PM -0700, Ivan Kohler wrote: On Thu, May 15, 2008 at 12:30:21PM -0700, Steve Langasek wrote: On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote: On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote: Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c and, importantly: - we need some some code review/feedback/signoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. Will you contact them? I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in this bugreport and let us know if you feel it secure to include as a setuid root binary (like vanilla PAM's /bin/unix_chkpwd). I'm sorry, I have no time to commit to doing an audit of this code. You may wish to look at the Debian Security Audit project: http://www.debian.org/security/audit/faq Do you (or anyone else) happen to have a public contact address to suggest? The page only points to a non-Debian mailing list, and it seems bad form to subscribe [EMAIL PROTECTED] Steve Kemp, who's listed as starting the project, is [EMAIL PROTECTED] Otherwise, I would expect that contacting the debian-audit mailing list should be fine. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
On Fri, May 16, 2008 at 04:58:41PM -0700, Steve Langasek wrote: On Thu, May 15, 2008 at 01:16:05PM -0700, Ivan Kohler wrote: On Thu, May 15, 2008 at 12:30:21PM -0700, Steve Langasek wrote: On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote: On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote: Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c and, importantly: - we need some some code review/feedback/signoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. Will you contact them? I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in this bugreport and let us know if you feel it secure to include as a setuid root binary (like vanilla PAM's /bin/unix_chkpwd). I'm sorry, I have no time to commit to doing an audit of this code. You may wish to look at the Debian Security Audit project: http://www.debian.org/security/audit/faq Do you (or anyone else) happen to have a public contact address to suggest? The page only points to a non-Debian mailing list, and it seems bad form to subscribe [EMAIL PROTECTED] Steve Kemp, who's listed as starting the project, is [EMAIL PROTECTED] Otherwise, I would expect that contacting the debian-audit mailing list should be fine. Hi Steve Kemp, Please ask if members of the Security Audit project could review the setuid program in the bugreport and Cc: [EMAIL PROTECTED] with any findings or discussion. (As this is a non-Debian mailing list requiring subscription to post, I am unable to simply Cc: the list on the bugreport as I would when asking a typical group to participate.) Thanks! -- _ivan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
Hello, I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: Here are the .dsc and the .diff.gz file for my current version of libpam-unix2. I have included unix2_chkpwd.c and unix2_chkpwd.8 in a separate subdirectory (which will appear when dpatching), wrote a Makefile, added the necessary steps in debian/rules to build and install unix2_chkpwd, and added Olaf Kirch as an upstream author. Regards Christoph -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c Here are the .diff.gz and the .dsc file for my current version of libpam-unix2. I created a separate subdirectory for unix2_chkpwd (which will appear when dpatching), wrote a Makefile, added the necessary steps in debian/rules to build and install unix2_chkpwd, and added Olaf Kirch as an upstream author. Regards Christoph libpam-unix2_2.1-5.diff.gz Description: GNU Zip compressed data Format: 1.0 Source: libpam-unix2 Binary: libpam-unix2 Architecture: any Version: 2.1-5 Maintainer: Ivan Kohler [EMAIL PROTECTED] Standards-Version: 3.6.0 Build-Depends: autoconf, debhelper (= 4.0.0), dpatch, libpam0g-dev (= 0.81), libtool, libxcrypt-dev Files: d185fca919a9244dedda5e1b16a5ef58 251846 libpam-unix2_2.1.orig.tar.gz 18fe1fc13c18c35199e61b359ab5d2f7 24247 libpam-unix2_2.1-5.diff.gz
Bug#295526: libpam-unix2 only works as root
On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote: On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote: Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c and, importantly: - we need some some code review/feedback/signoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. Will you contact them? I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in this bugreport and let us know if you feel it secure to include as a setuid root binary (like vanilla PAM's /bin/unix_chkpwd). I'm sorry, I have no time to commit to doing an audit of this code. You may wish to look at the Debian Security Audit project: http://www.debian.org/security/audit/faq -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
On Thu, May 15, 2008 at 12:30:21PM -0700, Steve Langasek wrote: On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote: On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote: Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c and, importantly: - we need some some code review/feedback/signoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. Will you contact them? I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in this bugreport and let us know if you feel it secure to include as a setuid root binary (like vanilla PAM's /bin/unix_chkpwd). I'm sorry, I have no time to commit to doing an audit of this code. You may wish to look at the Debian Security Audit project: http://www.debian.org/security/audit/faq Do you (or anyone else) happen to have a public contact address to suggest? The page only points to a non-Debian mailing list, and it seems bad form to subscribe [EMAIL PROTECTED] -- _ivan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote: Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c and, importantly: - we need some some code review/feedback/signoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. Will you contact them? I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in this bugreport and let us know if you feel it secure to include as a setuid root binary (like vanilla PAM's /bin/unix_chkpwd). Thanks! -- _ivan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c and, importantly: - we need some some code review/feedback/ignoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. Will you contact them? unix2_chkpwd.c is available for example in the file pam-modules-10.3-47.src.rpm of OpenSuSE 10.3. Installing that file on a Debian system (with rpm -i) unpacks unix2_chkpwd.c into /usr/src/rpm/SOURCES/. This is interesting new information. You're saying unix2_chkpwd.c has an upstream somewhere (separate from pam_unix2)? Well, not completely separate, because pam-unix2 is also part of pam-modules-10.3-47.src.rpm Is there somewhere where one can download the current unix2_chkpwd source, on its own and not as part of the SuSE PAM source RPM? Though I searched for a while, I could not find it elsewhere. Regards Christoph diff -Naurp libpam-unix2-2.1.orig/src/unix_auth.c libpam-unix2-2.1/src/unix_auth.c --- libpam-unix2-2.1.orig/src/unix_auth.c 2006-11-06 14:57:01.0 +0100 +++ libpam-unix2-2.1/src/unix_auth.c 2008-05-13 10:05:44.361127527 +0200 @@ -57,6 +57,7 @@ #define PAM_SM_AUTH #include security/pam_modules.h +#include security/_pam_macros.h #if defined (HAVE_SECURITY_PAM_EXT_H) #include security/pam_ext.h #endif @@ -69,6 +70,7 @@ #include public.h +#define CHKPWD_HELPER /sbin/unix2_chkpwd /* This module actually performs UNIX/shadow authentication. */ @@ -121,6 +123,76 @@ need_password (pam_handle_t *pamh, const return 0; } +static int _unix2_run_helper_binary(pam_handle_t *pamh, const char *passwd, +const char *user, const options_t *options) +{ +int retval, child, fds[2]; +sigset_t sigset; +char *service; + +pam_get_item (pamh, PAM_SERVICE, (void *) service); + +if (options-debug) + pam_syslog (pamh, LOG_DEBUG, _unix2_run_helper_binary called.); +/* create a pipe for the password */ +if (pipe(fds) != 0) { + if (options-debug) + pam_syslog (pamh, LOG_DEBUG, could not make pipe); + return PAM_AUTH_ERR; +} + +/* Block SIGCHLD */ +sigemptyset(sigset); +sigaddset(sigset, SIGCHLD); +sigprocmask(SIG_BLOCK, sigset, 0); + +/* fork */ +child = fork(); +if (child == 0) { + char *args[] = { NULL, NULL, NULL, NULL }; + static char *envp[] = { NULL }; + + /* XXX - should really tidy up PAM here too */ + + /* reopen stdin as pipe */ + close(fds[1]); + dup2(fds[0], STDIN_FILENO); + + /* exec binary helper */ + args[0] = x_strdup(CHKPWD_HELPER); + args[1] = x_strdup(service); + args[2] = x_strdup(user); + + execve(CHKPWD_HELPER, args, envp); + + /* should not get here: exit with error */ + if (options-debug) + pam_syslog (pamh, LOG_DEBUG, helper binary is not available); + exit(PAM_AUTHINFO_UNAVAIL); +} else if (child 0) { + if (passwd != NULL) {/* send the password to the child */ + write(fds[1], passwd, strlen(passwd)+1); + passwd = NULL; + } else { + write(fds[1], , 1);/* blank password */ + } + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); + (void) waitpid(child, retval, 0); /* wait for helper to complete */ + retval = (retval == 0) ? PAM_SUCCESS:PAM_AUTH_ERR; +} else { + if (options-debug) + pam_syslog (pamh, LOG_DEBUG, fork failed); + retval = PAM_AUTH_ERR; +} + +/* Unblock SIGCHLD */ +sigprocmask(SIG_BLOCK, sigset, 0); + +if (options-debug) + pam_syslog (pamh, LOG_DEBUG, returning %d, retval); +return retval; +} int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, @@ -303,7 +375,7 @@ pam_sm_authenticate (pam_handle_t *pamh, salt = strdupa (sp-sp_pwdp); else { - if (strcmp (pw-pw_passwd, x) == 0) + if ((strcmp (pw-pw_passwd, x) == 0) ((geteuid() == 0))) __write_message (pamh, flags, PAM_TEXT_INFO, _(Permissions on the password database may be too restrictive.)); salt = strdupa (pw-pw_passwd); @@ -325,10 +397,21 @@ pam_sm_authenticate (pam_handle_t *pamh, if (strcmp (crypt_r (password, salt, output), salt) != 0) { + if (geteuid()) + { + /* we are not root, perhaps this is the reason? Run helper */ + if (options.debug) + pam_syslog (pamh, LOG_DEBUG, running helper binary); + + retval = _unix2_run_helper_binary(pamh, password, name, options); + return retval; + } + if (options.debug) pam_syslog (pamh, LOG_DEBUG, wrong password, return PAM_AUTH_ERR); return PAM_AUTH_ERR; } + if (options.debug) pam_syslog (pamh, LOG_DEBUG, pam_sm_authenticate: PAM_SUCCESS); return PAM_SUCCESS; @@ -424,3 +507,18 @@ pam_sm_setcred (pam_handle_t *pamh, int pam_syslog (pamh, LOG_DEBUG, pam_sm_setcred: PAM_SUCCESS); return PAM_SUCCESS; } + + + + + + + + + + + + + + +
Bug#295526: libpam-unix2 only works as root
Hello, - The patch needs to be updated to apply against the current package in unstable. Done. I have attached a patch for unix_auth.c The unnecessary extra empty lines at the end of the file came in by mistake and can be deleted. Regards Christoph -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
On Thu, May 08, 2008 at 05:25:24PM +0200, Christoph Pleger wrote: Hello, The former seems to make more sense to me. Myself as well, but I'm hesitant to blindly include the old patch unless someone picks it up, updates or rewrites it for current code, and gets some code review from current PAM folks. As far as I can see, my old changes should still apply to the current etch version of libpam-unix2. Getting a fix past the release-managers into etch is probably a lost cause. We can include a fix in a normal upload to unstable. If we are quick, we can probably even make it into lenny, the next release. As my message says, what needs to be done to resolve this bug: - The patch needs to be updated to apply against the current package in unstable. and, importantly: - we need some some code review/feedback/ignoff from the Debian folks maintaining PAM and other related components. I am *NOT* going to be the guy who uploads a new setuid binary without adequate review. unix2_chkpwd.c is available for example in the file pam-modules-10.3-47.src.rpm of OpenSuSE 10.3. Installing that file on a Debian system (with rpm -i) unpacks unix2_chkpwd.c into /usr/src/rpm/SOURCES/. This is interesting new information. You're saying unix2_chkpwd.c has an upstream somewhere (separate from pam_unix2)? That's odd, but certainly a better situation to be in than a random one-off piece of code. Is there somewhere where one can download the current unix2_chkpwd source, on its own and not as part of the SuSE PAM source RPM? Someone really needs to pick up the ball and run with it as described above if they want this issue fixed. Unfortunately I don't have time for that myself in the near future. Dear LazyNet, the bug is tagged help, please do! :) -- _ivan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
Hello, The former seems to make more sense to me. Myself as well, but I'm hesitant to blindly include the old patch unless someone picks it up, updates or rewrites it for current code, and gets some code review from current PAM folks. As far as I can see, my old changes should still apply to the current etch version of libpam-unix2. unix2_chkpwd.c is available for example in the file pam-modules-10.3-47.src.rpm of OpenSuSE 10.3. Installing that file on a Debian system (with rpm -i) unpacks unix2_chkpwd.c into /usr/src/rpm/SOURCES/. By the way, the first lines in unix2_chkpwd.c are: /* * Set*id helper program for PAM authentication. * * It is supposed to be called from pam_unix2's * pam_sm_authenticate function if the function notices * that it's unable to get the password from the shadow file * because it doesn't have sufficient permissions. Regards Christoph -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
Just wanted to check status on this and whether the suggested approach will be used for libpam-unix2? Refer to bug #440955. Looks like the options are to make the changes in libpam-unix2 where the setuid executable can be contained in a small specific file (unix2_chkpwd) or whether the other option is to make every program such as gnome-screensaver setuid root. The former seems to make more sense to me. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
tags 295526 help thanks On Mon, Apr 07, 2008 at 08:58:25PM +0100, Charles Darke wrote: Just wanted to check status on this and whether the suggested approach will be used for libpam-unix2? Refer to bug #440955. Looks like the options are to make the changes in libpam-unix2 where the setuid executable can be contained in a small specific file (unix2_chkpwd) or whether the other option is to make every program such as gnome-screensaver setuid root. The former seems to make more sense to me. Myself as well, but I'm hesitant to blindly include the old patch unless someone picks it up, updates or rewrites it for current code, and gets some code review from current PAM folks. -- _ivan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#295526: libpam-unix2 only works as root
Hello, After a long time I just revisited my bug report for libpam-unix2 and the following discussion. If you'd like to help, please run the changes by the current PAM policy maintainer Sam Hartman [EMAIL PROTECTED], and also upstream, Thorsten Kukuk [EMAIL PROTECTED] - I'm curious if SuSE has this bug with pam_unix2 also and if they solved it differently? I just sent the changes to Sam Hartman _ I hope that he is still the PAM policy maintainer. SuSE does not have this problem with pam_unix2 as all mentioned screensaver programs (with exception of xscreensaver) are setuid root. For xscreensaver, setuid root does not help, so SuSE uses a hack so that xscreensaver calls the helper binary unix2_chkpwd. In Debian, the screensaver programs are not setuid root, because the normal authentication module pam_unix uses a helper binary unix_chkpwd that is setuid root. Christoph -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]